Tag: browser

Rant: Chrome is the New Nanny Browser

Part of my job is to look at possibly naughty and dangerous sites. Usually Chrome gives me an ‘are you sure?’ warning before I look at a hacked site, and I understand why. But see, my job involves me going to known hacked sites, seeing what’s going on, reverse engineering, and fixing. So yes, Chrome, I need that ‘I’m sure’ option.

Lately Chrome hasn’t been giving me an option. It’s been saying no.

So I went to the documentation, Can’t download files on Chrome, to find out how to turn it off and I was annoyed.

If you don’t want Chrome to show you download warnings, you can turn off your phishing and malware protection setting. Turning off these warnings will also turn off other malware and phishing alerts:

I want phishing protection!

Actually what I want is Chrome to say “This download may harm your computer. Don’t download it if you have auto-expand or auto-run on for downloaded files. Are you sure you want to download this?” and default to NO.

And no, I’ve not figured out how to do this yet.

31 July, 2015
Even Better Drag And Drop!

Not that long about I realized you could drag a file to the “choose file” button.

On Chrome you can also drag it from the download bar.

Here’s my file on the download bar:

And when I click and drag it up…

Sometimes it’s really the little things that brighten my day. This works for the ‘choose/select file’ buttons as well, and clearly works in WordPress for media. This also means when I download an image from one of my favorite free image sites, I can click on it in the download bar to edit it and then drag the image from the bar to upload the edited image. I never have to open the downloads folder.

Of course, my downloads folder gets pretty full after a while.

24 October, 2014
Drag to Choose File

I don’t know why I never knew this. Did you know you can drag a file to the ‘select file’ button on Chrome?

You know the button, right, this one that just says Choose File:

I happened to be testing if the drag/drop area was working (it wasn’t) and I noticed the button changed colors when I dragged the file over it:

So I let go and it was there:

And yes, it worked. This will save me hours of work!

1 October, 2014
HSTS and Chromium
I use Chromium, which is like the super most beta beta of Chrome, for one reason: It lets me run Chrome ‘twice’ in separate environments. I have a reason for it, but it doesn’t matter for the purpose of this post. Neither does the reason why I was editing a subdomain I rarely use. What matters is this.

I went to http://test.ipstenu.org and I got this:

My bp must have dropped because my first thought was “Oh shit, I’ve been hacked!” and I got the cold sweats. After a rant on Twitter and a plea for test help, I determined this was only happening on Chromium, which was interested, and my friend Benny pointed me to this Chromium Issue: Issue 350912: Chrome fetches https URL even when http URL explicitly specified which sure sounded right.

Now the rest of the error was telling me that test.ipstenu.org was asking I use HTTPS (which it was not) and that the SSL Cert didn’t match that domain (which was correct, but again, there is no SSL cert for that subdomain). Weird, right? Why would it force https when I didn’t ask it to! But what if I was? As I read through the ticket, I saw that you could see the headers better at chrome://net-internals/#hsts so I ran that and got this:
```
mode: STRICT sts_include_subdomains:true pkp_include_subdomains:false sts_observed:1402609861.497659 pkp_observed:1402608721.515596 domain:test.ipstenu.org pubkey_hashes: [...]
```
That was odd. I knew I’d set this in my .htaccess file:
```
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
```
But from what I’d read that was getting set only if you accessed the site via HTTPS (or anything on the page was HTTPS). After all, no other browser was acting like this, not even Beta Chrome. Still I turned it off, flushed my server cache, flushed my browser cache, and deleted the TransportSecurity files from Chrome. Now it worked. Turned it back on? Error came back.

It was here I realized “Chromium has decided that if you set HSTS, you mean that everything should be HTTPS regardless of the domain…” Well that’s just peachy! I pulled the HSTS line from .htaccess and instead tossed it into a PHP file for the subdomain(s) where I needed it:
```
header("Strict-Transport-Security:max-age=15768000; includeSubDomains");
```
Now. There are two situations particular to me that make this an epic pain in the ass:

First, I’m using WordPress multisite and I have SSL turned on for one domain. Second, I’m using WMH, which means editing my vhosts file to make this work properly is more of a hassle than it’s worth.

Really wouldn’t it make more sense to check “Is this an HTTPS page? No? Okay, skip!” But this is a (to me) departure from the logic train. As my friend James (and I) understood, the logic of HSTS was “If any aspect of the page is HTTPS, force HTTPS” Instead of that happening, if you went to, say, ‘fake.ipstenu.org’ instead of going to my about page (yes, that’s on purpose), it gave me the error. If you go to ‘https://fake.ipstenu.org’ you should get a specific warning page and then a ‘shucky darn!’ page. And yet here I saw that no matter if I picked HTTPS or HTTP, I was forced to HTTPS and that’s just silly.

Does my fix work? Of course. Am I happy? Nope! Oh, and yes, I filed a bug report with Chromium. You can read it at Issue 384069: HSTS in .htaccess forces https even when not specified
13 June, 2014
Extending Chrome
I had a problem.

If you know me at all, you know this is how 99% of my code lessons start. I have a problem I can’t solve easily, so I dig into it and write about it. In this case, my problem was one of those really stupid, messy things where I needed to force some code to run on certain pages and I didn’t have any access to those pages. Why? Well … let’s just say I wanted to make something like the Hey Girl chrome extension okay? Yes, I need an extension for Google Chrome.

It doesn’t really matter what you’re making, what matters is how easy it is to make a Chrome Extension. It really only needs two files, a manifest.json and then your content files. Let me explain by making Google Red.

Manifest

The manifest is where you list what’s in the Extension. It’s going to have the name, summary, what files to call, when and where. A really simple example would be like this:
```
{
"name": "Half-Elf's Chrome Extension",
"description": "This is an example extension that doesn't do anything useful at all.",
"version": "1.0",
"manifest_version": 2,
"content_scripts": [
    {
      "matches": [
                 "http://www.google.com/*",
                 "https://www.google.com/*"
                 ],
      "css": ["mystyle.css"],
      "js": ["myscript.js"]
    }
  ]
}
```
This is pretty straight forward. Name, description, etc. The value for manifest_version has to be the number 2, no quotes, no matter what. This is mandated by Google. They don’t use it yet, but they will. Then we get to the fun stuff, content_scripts, which is also pretty obvious. Using “matches” says “Only run this when the URL matches…” This is an inclusive match. For a different example, here’s an extension I want to run on every website, but not when I’m in wp-admin:
```
"content_scripts": [ {
	"matches": [ "http://*/*", "https://*/*" ],
	"exclude_globs": [ "http://*/wp-admin/*"],
	"css": [ "mystyle.css" ],
	"js": [ "myscript.js" ]
} ]
```
You can take this even further and only have it take action at specific actions (like when you make a tab active). The content_scripts documentation is pretty overwhelming, but it has all sorts of options. Today, though, saying we want to match just Google’s pages is okay.

In order to do this, I made a blank file called manifest.json and saved it in my ‘Development’ folder called~/Development/Chrome/extensions/GoogleRed but this doesn’t actually matter. Save it anywhere on your computer. Just know where it is. I also put blank files for mystyle.css and mystyle.js in there because they’re my content files! They’re blank, we’ll get to the real code soon.

Content Files

This is the fun part. The content files are what makes the magic happen and the super cool thing? It’s all basic JS or CSS or HTML. Seriously. Anything you can do in those languages, you can do in an Extesion and call it a day. For example, here’s one I used to strip referrers from URLs on Facebook (I was experimenting):
```
document.body.innerHTML = document.body.innerHTML.replace(new RegExp('?fb_source=pubv1" target="', 'g'), '" target="');
```
I set this to only run on Facebook.com and it was exactly what I needed. I admit, there are better JS ways to do this, but I suck at JS still, so this was as far as I got.

The Example

Google actually already made the files, so you can download them from Chromium “Make Page Red” and toss them in your folder. My files are as follows:

mainfest.json
```
{
	"name": "Page Redder",
	"description": "Make the current page red",
	"version": "2.0",
	"permissions": [
		"activeTab"
	],
	"background": {
		"scripts": ["myscript.js"],
	    "persistent": false
	},
	"browser_action": {
	    "default_title": "Make this page red"
	},
	"manifest_version": 2
}
```
myscript.js
```
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
	
// Called when the user clicks on the browser action.
chrome.browserAction.onClicked.addListener(function(tab) {
  // No tabs or host permissions needed!
  console.log('Turning ' + tab.url + ' red!');
  chrome.tabs.executeScript({
  code: 'document.body.style.backgroundColor="red"'
 });
});
```
That’s it. Two files. But how do I get it installed?

Adding it to Google Chrome

Go to chrome://extensions/ in Chrome and you get this kind of view:

See the box on the upper right? Developer Mode? Check it. Now you get extra information!

What interests us the most here is “Load unpacked extension…” but also that ID code jcpmmhaffdebnmkjelaohgjmndeongip is really important. This tells me where the extension lives on my computer, because I can go to ~/Library/Application Support/Google/Chrome/Profile/Extensions/jcpmmhaffdebnmkjelaohgjmndeongip and see all the code for the other extensions. This makes it super easy for me to fork them. Since this is all just for me, and I have no plans to release them, I’m less worried about licenses than I might be, but I still am in the habit of checking what they are and so should you. Your folder locations will vary depending on your OS, and how many Google Profiles you have (I actually have 3 – me, work, fansite).

Click that “Load unpacked extension…” and select the folder:

Once you upload it, you get this:

Now you know where the file is, but also you get a special link for Reload (⌘R) which is a life saver. Click that and any changes you made to your source files are re-installed into Chrome! This is great because Google’s example of making pages redder? Doesn’t work.

Okay, that’s not fair, it does work, just not on every page. It didn’t work on https pages for me until I edited the manifest and changed permissions from "activeTab" to "activeTab", "tabs", "http://*/*", "https://*/*" and then clicking on the magic button worked:

It’s kind of nice to be able to bully things around that way.

I’m just dabbling my toes into the Extensions water, and I find it highly powerful to push Chrome into my paths right now. Have you written any extensions?
27 November, 2013
Chrome Dumps Webkit

Chromium, the machine behind Chrome, has dumped Webkit.

This speaks for us all:

Chrome is no longer using webkit. Every developer in the world:http://t.co/3wIT6XCaxO

— soully (@soully) April 3, 2013

I’m not sure what’s going viral first, that gif or a ‘Don’t blink’ joke that someone has yet to make up. Oh, the new system is called Blink, and it’s open source.

We know that the introduction of a new rendering engine can have significant implications for the web. Nevertheless, we believe that having multiple rendering engines—similar to having multiple browsers—will spur innovation and over time improve the health of the entire open web ecosystem.

Yes, this means we all get to use even more browsers to make sure our sites look okay on all of them. Again. Thanks. And while they say it’s ‘based on’ webkit, that’s about as ‘related to’ as when Law & Order would say ‘The following episode is based on a true story, only names have been changed…’

This prompted my coworker Shredder to opine “Are Google and Mozilla late-april-fooling us?”

Did you miss the Mozilla/Samsung partnership? ~~Or maybe you didn’t notice that Opera moved too Webkit in February.~~ No wait! OPERA SWITCHES TO BLINK

Okay, Rarst is right: They’re out to screw over Apple.

Well, I don’t know about you, but I can’t wait to see the new ways in which my sites break!

3 April, 2013